ZCR 6 – Document cybersecurity requirements, assumptions and constraints
Reference: ISA/IEC 62443-3-2, Clause 4.7
ZCR 6.1: Cybersecurity requirements specification
Clause: 4.7.2
Summary
Create a CRS that records mandatory security countermeasures for the SUC based on the
detailed risk assessment, plus general security requirements from company or
site-specific policies, standards and applicable regulations. As a minimum the CRS shall
include the content required by ZCR 6.2 through ZCR 6.9.
Clear documentation keeps owners, integrators and suppliers working from the same target.
ISA technical reports on related CRS content can supplement — they do not replace the
minimum list in Part 3-2.
ZCR 6.2: SUC description
Clause: 4.7.3
Summary
Include a high-level description and depiction of the SUC: name, function, intended use,
and a description of the equipment or process under control. Illustrations of data and
process flows strengthen the description.
ZCR 6.3: Zone and conduit drawings
Clause: 4.7.4
Summary
Produce drawing(s) that show zone and conduit partitioning for the whole SUC, and assign
every asset to a zone or a conduit.
ZCR 6.4: Zone and conduit characteristics
Clause: 4.7.5
Summary
For each zone and conduit, document at least: unique name/ID; accountable organisation(s);
logical boundary; physical boundary where applicable; safety designation; logical and
physical access points; data flows per access point; connected zones/conduits; assets
with classification, criticality and business value; SL-T; applicable security
requirements; applicable security policies; and assumptions plus external dependencies.
Those fields exist for design, accountability and monitoring: they mark who owns the
partition, where traffic enters, what would be lost if it fails, which SL-T and policies
apply, and what outside factors (power, outer networks, physical layers) the design
assumes. Final security-requirement lists typically wait until the detailed assessment in
ZCR 5 is complete.
ZCR 6.5: Operating environment assumptions
Clause: 4.7.6
Summary
Document the physical and logical environment where the SUC sits or will sit — site layout,
rooms, cabling, site security plans, networks, protocols and interfacing OT/IT systems,
plus supporting utilities and safety systems that shape the operating context.
ZCR 6.6: Threat environment
Clause: 4.7.7
Summary
Describe the threat environment affecting the SUC, naming intelligence sources and covering
both current and emerging threats (CERTs, ICS-CERT, ISACs, suppliers, advisories,
government agencies, commercial threat feeds, and similar).
ZCR 6.7: Organizational security policies
Clause: 4.7.8
Summary
Include in the CRS the countermeasures and features that implement the organisation’s
security policies so baseline policy is not lost when the system is designed.
ZCR 6.8: Tolerable risk
Clause: 4.7.9
Summary
State the organisation’s tolerable risk for the SUC inside the CRS so designers and
approvers work to the same acceptance bar.
ZCR 6.9: Regulatory requirements
Clause: 4.7.10
Summary
Record any cybersecurity regulatory requirements that apply to the SUC so compliance
obligations travel with the design package.